Merge branch 'release/v0.6.0'

CHANGELOG.md

@@ -3,7 +3,23 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/passbolt_install_scripts/compare/v0.5.1...HEAD)
+## [Unreleased](https://github.com/passbolt/passbolt_install_scripts/compare/v0.6.0...HEAD)
+
+## [0.6.0](https://github.com/passbolt/passbolt_install_scripts/compare/v0.6.0..v0.5.2) - 2021-02-25
+
+This release of the install scripts deprecates the [ubuntu](https://help.passbolt.com/hosting/install/ce/ubuntu/ubuntu.html) and [debian](https://help.passbolt.com/hosting/install/ce/debian/debian.html) installation scripts in favour of the passbolt debian and ubuntu packages.
+From now on this repository aims to support only Centos and RedHat installations.
+
+### Added
+
+- Support for centos8 #16 Thanks to @TheDeadGuy
+
+### Changed
+- Composer installs v2
+- Check firewalld is running before doing changes
+- Nginx SSL config update #15 Thanks to @garretboone
+- Nginx does not include intermediate Letsencrypt certs #17
+
 
 ## [0.5.2](https://github.com/passbolt/passbolt_install_scripts/compare/v0.5.2..v0.5.1) - 2020-10-26
 

build_scripts.sh

@@ -44,7 +44,7 @@ build() {
   local os=$1
   local output=dist/"$os"/passbolt_ce_"$os"_installer.sh
 
-  if ! [[ "$os" =~ ^(debian|ubuntu|centos|redhat)$ ]]; then
+  if ! [[ "$os" =~ ^(debian|ubuntu|centos7|centos8|redhat)$ ]]; then
     error "Distribution not supported"
   fi
 
@@ -71,12 +71,11 @@ build() {
     cat "$initializer" >> "$output";
   done
 
-  if [ "$os" == "centos" ] || [ "$os" == "redhat" ]; then
+  if [ "$os" == "centos7" ] || [ "$os" == "redhat" ] || [ "$os" == "centos8" ]; then
     for helper in lib/helpers/"$os"/*.sh; do
       cat "$helper" >> "$output";
     done
   fi
-
   if [ "$os" == "ubuntu" ]; then
     for helper in lib/helpers/"$os"/*.sh; do
       cat "$helper" >> "$output";
@@ -115,6 +114,8 @@ while getopts "chd:" opt; do
       checksum debian 10
       compress centos 7
       checksum centos 7
+      compress centos 8
+      checksum centos 8
       compress ubuntu 18.04
       checksum ubuntu 18.04
       compress redhat EXPERIMENTAL

conf/centos8/constants.sh

@@ -0,0 +1,13 @@
+readonly OS='centos'
+readonly OS_SUPPORTED_VERSION="8.0"
+readonly OS_VERSION_FILE="/etc/centos-release"
+readonly FPM_WWW_POOL="/etc/php-fpm.d/www.conf"
+readonly FPM_SERVICE="php-fpm"
+readonly WWW_USER="nginx"
+readonly WWW_GROUP="nginx"
+readonly WWW_USER_HOME="/var/lib/nginx"
+readonly GNUPG_HOME='/var/lib/nginx/.gnupg'
+readonly CRONTAB_DIR='/var/spool/cron/'
+readonly REMI_PHP_URL='http://rpms.remirepo.net/enterprise/remi-release-8.rpm'
+readonly REMI_PHP_VERSION='remi-7.3'
+readonly PHP_EXT_DIR='/etc/php.d'

conf/centos8/packages.txt

@@ -0,0 +1,17 @@
+php-intl
+php-gd
+php-mysql
+php-pear
+php-devel
+php-mbstring
+php-fpm
+php-ldap
+gcc
+gpgme-devel
+git
+policycoreutils-python-utils
+nginx
+unzip
+wget
+certbot
+pinentry

conf/nginx/passbolt_ssl.conf

@@ -1,6 +1,6 @@
 server {
-  listen [::]:443;
-  listen 443;
+  listen [::]:443 ssl http2;
+  listen 443 ssl http2;
   server_name _SERVER_NAME_;
   client_body_buffer_size     100K;
   client_header_buffer_size   1k;
@@ -10,13 +10,17 @@ server {
   client_header_timeout 10;
   keepalive_timeout     5 5;
   send_timeout          10;
-  ssl on;
+
   ssl_certificate     _NGINX_CERT_FILE_;
   ssl_certificate_key _NGINX_KEY_FILE_;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_prefer_server_ciphers on;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
+  # ssl_dhparam         _NGINX_DHPARAM_FILE_;
+
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
   ssl_session_tickets off;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
 
   root /var/www/passbolt/webroot;
   index index.php;

conf/redhat/constants.sh

@@ -9,3 +9,4 @@ readonly WWW_USER_HOME="/var/opt/rh/rh-nginx116/lib/nginx"
 readonly GNUPG_HOME='/var/lib/nginx/.gnupg'
 readonly CRONTAB_DIR='/var/spool/cron/'
 readonly PHP_EXT_DIR='/etc/opt/rh/rh-php73/php.d'
+readonly RH_VERSION='7'

lib/helpers/centos7/setup_firewall.sh

@@ -0,0 +1,18 @@
+check_firewall() {
+  systemctl is-active firewalld
+}
+
+setup_firewall() {
+  local zone=public
+  local services=(http https)
+  banner "Opening ports 80 and 443 on firewall"
+
+  if check_firewall; then
+    for i in "${services[@]}"; do
+      firewall-cmd --permanent --zone="$zone" --add-service="$i"
+    done
+    enable_service firewalld
+  else
+    echo "Firewalld is not active."
+  fi
+}

lib/helpers/centos/setup_yum.sh → lib/helpers/centos7/setup_yum.sh

@@ -3,19 +3,28 @@ setup_yum() {
   case $os in
     centos)
       install_packages "yum-utils epel-release $REMI_PHP_URL"
-      yum-config-manager --enable "$REMI_PHP_VERSION"
+      if [ "$OS_SUPPORTED_VERSION" == "7.0" ]; then
+        yum-config-manager --enable "$REMI_PHP_VERSION"
+      else
+        yum-config-manager --enable remi powertools baseos 
+        dnf module enable php:"$REMI_PHP_VERSION"
+      fi
       ;;
     redhat)
       enable_repos
       if ! yum list installed | grep epel-release; then
-        install_packages "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
+        install_packages "https://dl.fedoraproject.org/pub/epel/epel-release-latest-${RH_VERSION}.noarch.rpm"
       fi
   esac
 }
 
 
 enable_repos() {
-  local repos=(rhel-server-rhscl-7-rpms rhel-7-server-extras-rpms rhel-7-server-optional-rpms)
+  local repos=(
+            "rhel-server-rhscl-${RH_VERSION}-rpms" 
+            "rhel-${RH_VERSION}-server-extras-rpms" 
+            "rhel-${RH_VERSION}-server-optional-rpms"
+          )
   local enabled_repos=""
 
   enabled_repos="$(subscription-manager repos --list-enabled | grep 'Repo ID' | awk '{print $3}')"

lib/helpers/centos8

@@ -0,0 +1 @@
+centos7

lib/helpers/redhat

@@ -1 +1 @@
-centos
+centos7

lib/helpers/setup_composer.sh

@@ -16,7 +16,7 @@ composer_install() {
   local www_user="$1"
   banner "Installing composer..."
 	composer_check_signature
-  php composer-setup.php --1 --install-dir=/usr/bin
+  php composer-setup.php --install-dir=/usr/bin
   php -r "unlink('composer-setup.php');"
 
   banner "Installing composer dependencies..."

lib/helpers/setup_nginx.sh

@@ -36,7 +36,7 @@ setup_nginx(){
   if [[ "$(__config_get 'ssl_auto')" == 'true' ]]; then
     if __setup_letsencrypt 'passbolt_hostname' 'letsencrypt_email'; then
       __nginx_config "$script_directory/conf/nginx/passbolt_ssl.conf" "$NGINX_SITE_DIR/passbolt_ssl.conf" 'passbolt_hostname'
-      ln -s "$LETSENCRYPT_LIVE_DIR/$passbolt_domain/cert.pem" "$SSL_CERT_PATH"
+      ln -s "$LETSENCRYPT_LIVE_DIR/$passbolt_domain/fullchain.pem" "$SSL_CERT_PATH"
       ln -s "$LETSENCRYPT_LIVE_DIR/$passbolt_domain/privkey.pem" "$SSL_KEY_PATH"
       __ssl_substitutions
       enable_service "$nginx_service"

lib/main/centos8

@@ -0,0 +1 @@
+centos7

tests/integration/integration_centos_test.bats

@@ -73,7 +73,7 @@
 }
 
 @test "it has cron job set up" {
-  sudo grep "* * * * * /var/www/passbolt/bin/cake EmailQueue.sender" /var/spool/cron/nginx
+  sudo grep "* * * * * /var/www/passbolt/bin/cron" /var/spool/cron/nginx
 }
 
 @test "gpg keyring is in place" {
@@ -82,7 +82,7 @@
 }
 
 @test "webinstaller is running" {
-  result="$(curl --header 'Host: passbolt.local' -s -o /dev/null -w "%{http_code}" http://127.0.0.1)"
+  result="$(curl --header 'Host: passbolt.local' -s -o /dev/null -w "%{http_code}" http://127.0.0.1/install)"
   [ "$result" = '200' ]
 }